Re: [nznog] [outages] Open Resolver Project

10 Jun 2013

      On 11/06/13 21:26, Nathan Ward wrote:
...
On 11/06/2013, at 9:13 PM, Sebastian Castro 
wrote:
...
On 11/06/13 20:41, Nathan Ward wrote:
...
On 11/06/2013, at 6:31 PM, Dave Mill  wrote:
...
Then hack bind to return one IP address as an answer to any 
standard query. We just did A and MX. That IP points to a
server under your control. Install Apache, postfix,
courier-pop3d, etc on there and serve various types of bogus
data telling people what to do.
Yeah, tricks like this are fun to do, too :-)
I've wondered also about only spoofing replies for say, google
for a month or so, before shutting it off entirely.
Also, such a thing should (I think) only return A records where
a real A record already exists - maybe a patch for bind or
unbound is needed to do this..
Please please avoid to do this at all costs... I've seen those
"clever tricks" before and they cause more breakage than desired.
Specially those deploying v6 networks see those tricks as a pain,
because A records are rewritten but not AAAA records
Do you mean the bit I suggested re. serving only if a record of that
type exists, or do you mean spoofing stuff entirely?
I understood complete spoofing.
...
If you mean the latter, and the choice is cut the user off entirely,
or server them a bunch of banners saying "don't do that, we already
told you", I think I'd prefer the latter. Open to opposing views and
alternative friendly ways to manage it, other than simple cut off.
I understand the problem you are trying to solve, and probably if I were
on your shoes, I would attempt something similar. But given I'm on the
other side of the road, serving authoritative data, I don't want someone
to tamper with my data on transit.
...
...
...
Maybe you only spoof A records, and leave CNAME etc. untouched.
What do you do about DNSSEC?
Break it?
How many end hosts does that likely impact, in todays world? Do many
end hosts care about DNSSEC, or is it just nameservers at ISPs, some
businesses, and nerdy households so far? Is there a way to test, if
you're a service provider? I'm not sure the usual javascript checks
would work well, unless you also provide a large amount of the end
users' content.
You just touched a very sensitive nerve. One of the missing parts of the
DNSSEC ecosystem is how to guarantee the validating resolver is playing
nice. Because the current protocol only provides a one-bit flag to
signal if the data was authentic or not, a non-cooperative resolver can
simply lie and tell you... "yeah, this data is valid, see the flag?"

In practice, very few applications use that flag, or do something useful
with the signatures, so answering your question it will likely go
unnoticed.

If you want to test if someone is using your cache resolver as
forwarder, you can inspect in DNS queries if the DO (DNSSEC OK) bit is
on, or if they query for DNSKEY/DS records. A "normal" end host won't do
that. If you are running BIND, you can activate the query log and
interpret the flags:

http://jpmens.net/2011/02/22/bind-querylog-know-your-flags/
...
I wonder if the numbers are much different if you're talking about
hosts configured with recursive name servers on a different network.
-- Nathan Ward
Cheers,
-- 
Sebastian Castro
DNS Specialist
.nz Registry Services (New Zealand Domain Name Registry Limited)
desk: +64 4 495 2337
mobile: +64 21 400535